Lock down path to production

Problem to solve

Companies need to enforce a compliant path to production.

Target audience

Release Managers and Security compliance analysts

Further details

Enterprises have various compliance needs. Some of them can be met through proper auditing and a standardized, prescriptive deployment pipeline, but other compliance targets require enforcing certain aspects of the path to production, e.g. that certain security tests have run and passed, that only qualified people trigger deployment to production, that build images are created in a certain fashion, etc.

Proposal

Lock down each of:

CI/CD code

CI/CD code execution

CI/CD data

Build execution

e.g. Enforce code+runner+data+binauthz

Lock .gitlab-ci.yml so only admins can modify it. There are actually a number of ways to do this; these are related and you can imagine more:

Lock the attestation signature token so it is only available to locked code, and use it for signing during the CI pipeline or release creation (#7268). Optionally, enforce various kinds of attestations (security tests ran, compliance checks passed, etc., possibly using gitlab-ce#56030)
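As an added illustration of the attestation step (example code, not GitLab's own implementation), a minimal HMAC-signed attestation gate: a locked CI job signs a record of which checks passed using the protected token, and the deploy step refuses any image whose attestation is missing, tampered with, or incomplete. The token value, check names and image digest are constructed placeholders.

```python
"""Minimal attestation gate for a locked path to production.

Added example, not GitLab code. Assumes the signing token is a protected CI
variable that only the locked pipeline jobs can read.
"""
import hashlib
import hmac
import json

# Attestations a deploy must carry (names are constructed for this example).
REQUIRED_ATTESTATIONS = {"security-tests-passed", "compliance-checks-passed"}


def canonical(payload: dict) -> bytes:
    # Deterministic JSON so signer and verifier hash exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_attestation(payload: dict, token: bytes) -> dict:
    # Run by the locked CI job after its checks complete.
    sig = hmac.new(token, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def verify_for_deploy(attestation: dict, token: bytes, image_digest: str) -> tuple:
    # Run by the deploy step: returns (allowed, reason).
    payload = attestation.get("payload", {})
    expected = hmac.new(token, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation.get("signature", "")):
        return False, "signature mismatch: attestation not produced by locked pipeline"
    if payload.get("image_digest") != image_digest:
        return False, "attestation is for a different image"
    passed = {name for name, ok in payload.get("checks", {}).items() if ok is True}
    missing = REQUIRED_ATTESTATIONS - passed
    if missing:
        return False, "missing or failed checks: " + ", ".join(sorted(missing))
    return True, "ok"


# Constructed sample data standing in for a real pipeline run.
TOKEN = b"constructed-token-from-protected-variable"
DIGEST = "sha256:0123abcd"
GOOD = sign_attestation(
    {"image_digest": DIGEST, "pipeline_id": 42,
     "checks": {"security-tests-passed": True, "compliance-checks-passed": True}},
    TOKEN,
)
# Someone edits the payload after signing: signature no longer matches.
TAMPERED = {"payload": dict(GOOD["payload"], checks={"security-tests-passed": False}),
            "signature": GOOD["signature"]}

if __name__ == "__main__":
    print(verify_for_deploy(GOOD, TOKEN, DIGEST))
    print(verify_for_deploy(TAMPERED, TOKEN, DIGEST))
```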